Your submission was sent successfully! Close

CVE-2016-1899

Published: 20 January 2016

CRLF injection vulnerability in the ui-blob handler in CGit before 0.12 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks or cross-site scripting (XSS) attacks via CRLF sequences in the mimetype parameter, as demonstrated by a request to blob/cgit.c.

Priority

Medium

CVSS 3 base score: 3.7

Status

Package Release Status
cgit
Launchpad, Ubuntu, Debian
Upstream
Released (0.11.2.git2.3.2-1.1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(0.11.2.git2.3.2-1.1)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(0.11.2.git2.3.2-1.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
upstream: http://git.zx2c4.com/cgit/commit/?id=1c581a072651524f3b0d91f33e22a42c4166dd96